certificate verification does not work with newSSL

Bug #643787 reported by Samuele Pedroni
This bug affects 5 people
Affects          Status        Importance  Assigned to      Milestone
erlang (Ubuntu)  Fix Released  High        Samuele Pedroni
Karmic           Won't Fix     Undecided   Unassigned
Lucid            Fix Released  Undecided   Unassigned
Maverick         Fix Released  High        Samuele Pedroni

Bug Description

Binary package hint: erlang

affects Lucid, Maverick erlang

It is not possible to perform a working verification of certificates when establishing an SSL connection with the newSSL implementation in R13.

This affects, for example, the possibility of secure replication for desktopcouch.

A more detailed upstream discussion of the issues can be found at:

http://www.erlang.org/cgi-bin/ezmlm-cgi?2:mss:2005:201009:nkpigljldefpimkjppbn

tags: added: desktop+ foundations+ u1-lucid-sru u1-maverick
Changed in erlang (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Samuele Pedroni (pedronis)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.3-dfsg-2ubuntu3

---------------
erlang (1:13.b.3-dfsg-2ubuntu3) maverick; urgency=low

  * fix for ssl certificate verification in newSSL: ssl_cacertfile_fix.patch
    (LP: #643787)
 -- <email address hidden> (Samuele Pedroni (Canonical Services Ltd.)) Fri, 24 Sep 2010 09:35:12 +0200

Changed in erlang (Ubuntu Maverick):
status: In Progress → Fix Released
Elliot Murphy (statik) wrote :

This fix is a prerequisite for LP: #422178. I am attaching the debdiff per https://wiki.ubuntu.com/StableReleaseUpdates

This is a patch from upstream Erlang developers in Erlang/OTP team at Ericsson which fixes a serious problem in the SSL library that was preventing SSL host certificate verification from happening (we discovered the problem while working on CouchDB).

Elliot Murphy (statik) wrote :

Samuele, could you add the test program that Filipe was using to verify the SSL fix so that it will be easier to validate this fix?

Samuele Pedroni (pedronis) wrote :

Attaching an Erlang script to try; it should fail with the old packaged erlang and work with the new one (except for a warning about a certificate that cannot be parsed).

It can be run thus:

$erl
>l(new_ssl_test).
>new_ssl_test:test().

Martin Pitt (pitti) wrote : Please test proposed package

Accepted erlang into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in erlang (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

The uploaded karmic package is a backport from lucid, which introduces a lot of new upstream versions and changes. This is not at all what an SRU is supposed to do. Can we please just backport the SSL fix?

Even if this was acceptable, if an upload introduces more than just the last changelog record, it needs to be built with -v<version in karmic/-updates/-security>. Rejecting karmic upload.

Rick McBride (rmcbride) wrote :

Samuele,

I'm trying to do the SRU verification on this (for lucid-proposed); however, the directions provided result only in

** exception error: undefined function new_ssl_test:test/0

in Eshell.

Any ideas?

Rick McBride (rmcbride) wrote :

I have a test set to test through couchdb provided by Eric C, however...

there's significant conflict in the dependencies of other erlang packages.

In particular,

erlang-inets: Depends: erlang-ssl (= 1:13.b.3-dfsg-2ubuntu2) but it is not going to be installed

erlang-xmerl also shows issues with the new version installed on Lucid.

It appears as if the combined and very finicky version deps in erlang result in a broken erlang installation when 1:13.b.3-dfsg-2ubuntu2.1 is installed.

Changed in erlang (Ubuntu Lucid):
status: Fix Committed → In Progress
Rick McBride (rmcbride) wrote :

Since the fixed version of erlang-ssl breaks erlang installations on Lucid (see previous note from me), this cannot be verified. Packaging fixes will be required for multiple erlang-* packages for this to work.

tags: added: verification-failed
removed: verification-needed
Rick McBride (rmcbride) wrote :

I haven't tracked through all of the Depends: lines, but the observed behavior is that installing the patched erlang-ssl package UNINSTALLS a significant number of other erlang packages. Likewise, installing erlang-xmerl after the patched erlang-ssl uninstalls the patched erlang-ssl and a number of other packages that appear to have been updated at the same time.

Samuele Pedroni (pedronis) wrote :

Sorry, my fault: I gave the instructions that work if the script is already compiled. You need:

pedronis@ubuntu-desktop:~/scratch/packaging$ erl
Erlang R13B03 (erts-5.7.4) [source] [rq:1] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.7.4 (abort with ^G)
1> c(new_ssl_test).
{ok,new_ssl_test}
2> new_ssl_test:test().

Very sorry.

Samuele Pedroni (pedronis) wrote :

I don't think the new package changes in any way how the constellation of erlang packages behaves on upgrade, so whatever deps problems there are on upgrade were there for previous versions as well.

James Henstridge (jamesh) wrote :

Rick: when you ran into these problems, did you have the ubuntuone hackers private PPA enabled? That archive has had a package with a newer version number than the one in lucid-proposed.

When I disabled the ubuntuone hackers PPA and downgraded to the stock lucid packages, I didn't see any of these errors you reported (either from "apt-get upgrade" or "apt-get install erlang-ssl"). Samuele's new_ssl_test script appears to function after installing the lucid-proposed packages.

If I reinstall the erlang packages from the ubuntuone hackers PPA and then try to install any of the lucid-proposed packages, I do get errors similar to what you describe, but that is to be expected when we're talking about a downgrade.

Does this sound anything like what you experienced?

Rick McBride (rmcbride) wrote :

James:

What appears to have happened is that, in configuring lucid-proposed as suggested in the SRU-related instructions (restricted to install only what is requested), aptitude was somehow unable to completely resolve all of the dependencies. By configuring lucid-proposed as a normal repository I got a successful upgrade (but unfortunately this installed many other unrelated packages that are in proposed on the test system).

I'm retracting my tag change and re-running the validation.

tags: added: verification-needed
removed: verification-failed
Rick McBride (rmcbride) wrote :

After the change described in my above entry, Samuele's updated instructions (his above) test as described, including the warning that is expected for the unparsable cert.

tags: added: verification-done
removed: verification-needed
Rick McBride (rmcbride) wrote :

Above verification was in Lucid.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang - 1:13.b.3-dfsg-2ubuntu2.1

---------------
erlang (1:13.b.3-dfsg-2ubuntu2.1) lucid-proposed; urgency=low

  [ Samuele Pedroni ]
  * fix for ssl certificate verification in newSSL: ssl_cacertfile_fix.patch
    (LP: #643787)
 -- Elliot Murphy <email address hidden> Thu, 30 Sep 2010 14:48:32 -0400

Changed in erlang (Ubuntu Lucid):
status: In Progress → Fix Released
Mossroy (mossroy) wrote :

Does this bug also affect Jaunty?
I am indeed running ejabberd (based on erlang) on a jaunty server, with a self-signed ssl certificate. Do I have a potential security risk?
Jaunty is supposed to be supported until the end of this month (precisely Oct 23rd according to https://wiki.ubuntu.com/Releases).

I know that the end-of-life is very soon and I should upgrade my server to keep it secure.
But the processor of this server (a Sheevaplug http://en.wikipedia.org/wiki/SheevaPlug) is an armv5, which is no longer supported since Karmic (see http://plugcomputer.org/plugforum/index.php?topic=885.0). So the upgrade of Ubuntu is not possible: I will have to reinstall it with Debian, which I would like to avoid until really necessary.

Fermí Tanyà (fermi-t)
Changed in erlang (Ubuntu Lucid):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

Karmic has long since stopped to receive any updates. Marking the Karmic task for this ticket as "Won't Fix".

Changed in erlang (Ubuntu Karmic):
status: New → Won't Fix